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Abstract 


Idealized  CSP  is  a  programming  language  combining  simply  typed,  call-by¬ 
name  procedures  with  asynchronous  communicating  processes.  The  language 
also  generalizes  Reynolds’  Idealized  Algol  by  adding  typed  channels  and  the 
ability  to  spawn  parallel  processes.  Procedures  permit  the  encapsulation  of 
common  communication  protocols  and  parallel  programming  idioms.  Local 
variables  and  local  channel  declarations  provide  a  way  to  delimit  the  scope 
of  interference  between  parallel  agents.  The  combination  of  procedures  and 
communicating  parallelism  raises  significant  semantic  problems.  We  show — 
perhaps  surprisingly,  given  the  fundamental  differences  in  underlying  process 
model — that  ideas  used  to  model  the  combination  of  shared-variable  paral¬ 
lelism  and  procedures  can  be  adapted  to  the  communication-based  setting. 
This  is  further  evidence  in  favor  of  the  orthogonality  of  procedures  and  con¬ 
currency,  and  also  shows  that  the  shared-variable  and  communication-based 
paradigms  have  a  lot  in  common,  semantically.  Our  semantics  introduces 
a  generalization  of  “transition  traces”  and  “possible  worlds”,  incorporating 
an  “object-oriented”  treatment  of  channels.  The  semantics  supports  reason¬ 
ing  about  safety  and  liveness  properties  of  processes  at  the  same  time  as 
validating  natural  laws  of  functional  programming. 


1  Introduction 


We  introduce  a  programming  language  combining  a  simply  typed,  caJl-by- 
name  procedure  mechanism  with  a  generalized  version  of  CSP[8],  in  which 
parallel  processes  communicate  by  message-passing.  Our  generalization  of 
Hoare’s  language  follows  familiar  lines:  we  allow  nested  parallelism,  while  in 
the  original  language  each  parallel  component  was  required  to  be  sequential; 
and  we  use  named  channels,  as  in  occam,  rather  than  process  names,  since 
this  yields  a  more  flexible  communication  mechanism.  The  inclusion  of  nested 
parallelism  makes  the  language  more  uniform  and  causes  no  extra  difficulties 
from  a  semantic  point  of  view.  We  also  allow  recursive  process  definitions,  so 
that  processes  may  be  created  dynamically.  In  contrast  to  the  original  CSP, 
in  which  communication  was  assumed  to  be  implemented  by  synchronized 
handshake,  we  assume  an  asynchronous  model  for  communication:  output 
is  non-blocking,  but  an  input  request  blocks  until  data  is  available.  The 
synchronous  style  of  communication  can,  nevertheless,  be  simulated  in  the 
asynchronous  setting.  To  acknowledge  the  language’s  intellectual  debts  to 
Idealized  Algol  and  CSP  we  call  it  Idealized  CSP. 

The  combination  of  procedures  and  parallelism  yields  a  language  in  which 
CSP-like  process  definitions  can  be  encapsulated  and  manipulated  by  means 
of  procedure  declarations  and  calls.  Procedures  permit  encapsulation  of  com¬ 
mon  communication  protocols,  such  as  the  alternating-bit  protocol.  Local 
variables  and  local  channels  provide  a  way  to  delimit  the  scope  of  interference 
between  parallel  agents.  For  example,  the  following  procedures,  written  in  a 
syntactically  sugared  notation,  encapsulate  a  common  way  to  build  (integer¬ 
carrying)  buffers  in  CSP: 

procedure  buffi  (in,  out)  = 

newvar[int]  x  in  while  true  do  (m?x;  outlx); 

procedure  buff  (in,  out)  = 

newchan[int]  mid  in  buffi  (in,  mid)  ||  buffi  (mid,  out); 

In  any  call  to  buff,  locality  of  the  channel  mid  guarantees  that  the  actual 
parameters  of  the  call  are  distinct  from  mid.  The  correct  behavior  of  this 
procedure  depends  crucially  on  the  inability  of  the  two  calls  to  buffi  to  inter¬ 
act  except  via  the  local  channel.  Intuitively,  provided  in  and  out  denote  dis¬ 
tinct  channels,  buffi  (in, out)  behaves  like  a  one-place  buffer  and  buff  (in,  out) 
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behaves  like  an  unbounded  buffer. 

Combining  procedures  and  communicating  processes  raises  significant  se¬ 
mantic  problems.  Indeed,  most  existing  semantic  models  for  CSP-like  lan¬ 
guages  do  not  incorporate  procedures,  and  most  existing  semantic  models 
for  procedures  seem  unsuitable  for  a  process  language  like  CSP.  This  pa¬ 
per  shows  that,  despite  the  fundamental  differences  in  the  underlying  model 
of  computation,  the  ideas  behind  our  earlier  work  on  shared-variable  paral¬ 
lelism  can  be  adapted  to  the  setting  of  communicating  processes.  In  [3]  we 
used  “transition  traces”  to  build  a  simple  fully  abstract  model  for  a  shared- 
vaxiable  parallel  language.  In  [4]  we  showed  how  to  incorporate  a  procedure 
mechanism  based  on  the  simply  typed  call-by-name  A-calculus,  obtaining  an 
idealized  language  called  Parallel  Algol.  Our  semantics  for  Parallel  Algol 
combined  transition  traces  with  “possible  worlds” [13,  15,  12]  in  a  “modular” 
style,  bringing  out  the  orthogonality  of  procedures  and  shared-variable  con¬ 
currency.  We  will  show  that  with  suitable  generalization  and  adjustment,  we 
can  obtain  a  semaiatics  for  Idealized  CSP  by  similar  means.  In  one  sense, 
this  is  perhaps  not  so  surprising:  it  also  seems  intuitive  that  procedures 
and  communication-based  concurrency  should  be  orthogonal.  The  surprise 
is  that  transition  traces,  which  seem  to  be  tailored  for  the  shared-variable 
paradigm,  and  possible  worlds,  which  appear  best  suited  for  modelling  im¬ 
perative  programming,  can  be  adapted  to  deal  with  communication-based 
programs.  This  also  points  out  the  fundamental  role  of  transition  traces  as 
a  common  semantic  basis  for  the  shared-variable  and  communication-based 
paradigms. 

2  Syntax 

The  type  structure  of  our  language  is  standard,  essentially  as  in  [15]  but  with 
the  addition  of  typed  channels.  We  use  r  to  range  over  data  types  and  6  to 
range  over  phrase  types,  as  specified  by  the  following  abstract  grammar: 

6  ::=  exp[r]  |  var[r]  |  chan[r]  j  comm  |  {6—^9')  \  0x9' 

T  ::=  int  j  bool 

Data  types  represent  sets  of  storable  and  communicable  values. 

Let  i  range  over  the  set  of  identifiers.  A  type  environment  tt  is  a  partial 
function  from  identifiers  to  types.  Let  (tt,  t :  0)  be  the  type  environment  that 
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agrees  with  tt  except  that  it  maps  t  to  6. 

A  type  judgement  of  form  tt  h  P  :  ^  is  interpreted  as  saying  that  phrase  P 
has  type  $  in  type  environment  tt.  The  collection  of  valid  judgements  is  char¬ 
acterized  as  usual  by  a  set  of  syntax-directed  inference  rules;  Figure  1  gives 
a  representative  sample.  The  language  contains  the  usual  arithmetic  and 
boolean  operations,  together  with  the  usual  CSP-style  constructs  (including 
input-output  guarded  commands,  parallel  and  sequential  composition)  and 
the  simply  typed  A-calculus. 

3  Semantics 

The  combination  of  procedures  and  communicating  parallelism  raises  signif¬ 
icant  problems:  we  need  a  semantics  which  clearly  brings  out  the  potential 
for  communication  and  interference  between  parallel  commands  while  still 
supporting  naive  methods  of  reasoning  based  on  the  laws  of  the  A-calculus 
(such  as  the  /?-law,  or  fixed-point  properties  of  recursive  procedures).  Our 
approach  generalizes  transition  traces[3]  and  possible  worlds[15,  13]  to  deal 
with  channels  and  communication.  We  summarize  briefly  some  of  the  key 
background  concepts. 

3.1  Transition  traces 

A  “transition  trace”  is  a  finite  or  infinite  sequence  of  pairs  of  states, 

(so,  Sq)(Si, Sj)  . . .  (s„,  s„) .  .  . 

representing  a  generalized  computation  of  a  command  during  which  the  state 
is  changed  as  indicated:  steps  from  si  to  sj  being  caused  by  the  command, 
changes  from  s(-  to  s,+i  being  made  by  the  command’s  environment.  This  kind 
of  structure  is  very  natural  for  modelling  shaxed-variable  parallelism,  since 
interference  is  captured  precisely  by  state  changes  “across  step  boundaries” . 
Transition  traces  have  been  used  to  give  denotational  semantics  to  a  simple 
shared- variable  language,  originally  by  Park[14],  and  more  recently  in  [3]  to 
achieve  full  abstraction,  by  imposing  certain  closure  conditions  on  trace  sets. 
In  particular,  a  trace  set  T  is  said  to  be  closed  under  stuttering  if  every  trace 
obtained  from  a  trace  in  T  by  inserting  steps  of  the  form  (s,  s)  also  belongs 
to  T ;  and  T  is  closed  under  mumbling  if  every  trace  obtained  from  a  trace 
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TT  H  skip  :  comm 


'k\-  X  :  var[r]  tt  h  £  :  exp[T] 

TT  h  X:=E  :  comm 

TT,  L  :  var[r]  h  P  :  comm 
TT  f-  newvar[r]  i  in  P  :  comm 

n  h  :  chan[r]  tt  h  P  :  exp[T] 

TT  t-  h\E  :  comm 

TT  h  /i :  chan[r]  tt  h  X  :  var[T] 

7r  h  h‘!X  :  comm 

TT  h  Pi  :  comm  tt  h  P2 :  comm 
TT  h  P1IIP2  :  comm 

TT,  L :  chan[T]  h  P  :  comm 
TT  H  newchan[r]  i  in  P  :  comm 

Trrr? 

TT,L :  6  ^  P  :  6 
7r  h  rec  t  :  6.P  :  6 

■K,L-.d\-  P -.e' 

TT  h  Ai :  0.P  :  (0  ->  0') 

4 

ttHP:^^^'  ttV-Q-.B 
TT  h  P(g)  :  O' 

Figure  1:  Some  rules  for  type  judgements 


in  T  by  replacing  adjacent  steps  of  the  form  {s,s'){$\s")  by  {s,s'')  is  also  in 
T.  The  closure  conditions  are  designed  to  ensure  that  each  step  (s,  s')  in  a 
trace  represents  a  finite  (possibly  empty)  sequence  of  atomic  actions.  When 
r  is  a  trace  set  we  write  for  its  closure,  the  smallest  closed  set  containing 
T  as  a  subset. 

3.2  Possible  worlds 

The  main  idea  behind  the  extension  to  include  procedures  [4]  is  the  realiza¬ 
tion  that  possible-worlds  semantics[15,  13]  and  the  more  refined  relationally 
parametric  model  of  [12],  used  earlier  to  interpret  a  sequential  Algol-like 
language,  can  be  adapted  to  the  shared-variable  setting. 

Instead  of  assuming  a  global  set  S  of  states,  we  work  with  a  category 
whose  objects,  or  possible  worlds,  represent  states  with  a  given  store  shape, 
and  whose  morphisms  correspond  to  the  introduction  of  local  variables,  or 
more  abstractly  to  “expansions”  of  store  shape.  The  trace  semantics  may 
then  be  parameterized  in  terms  of  the  underlying  world:  each  type  denotes  a 
functor  from  worlds  into  domains,  and  each  well-typed  phrase  denotes  a  nat¬ 
ural  transformation  from  an  environment  functor  to  the  corresponding  result 
type  functor.  Because  of  the  nature  of  morphisms  in  the  worlds  category, 
naturality  imposes  certain  “locality”  constraints,  intuitively  of  the  form  that 
a  “global”  entity  cannot  interfere  with  a  “local”  entity.  The  functor  category, 
whose  objects  axe  functors  from  worlds  to  domains,  with  natural  transfor¬ 
mations  as  morphisms,  is  cartesian  closed;  this  provides  a  canonical  way  to 
interpret  the  A-calculus. 

3.3  Incorporating  communications  into  state 

In  traditional  accounts  of  the  semantics  of  communicating  processes  channel 
names  (or  process  names,  or  some  similar  kind  of  communication  label)  play 
a  prominent  role.  For  instance  [5]  uses  “communication  traces”  of  the  form 
(s,p,  s'),  where  s  and  s'  are  states  and  p  is  a  sequence  of  labels  of  the  form 
/i?n,  h\n  or  e  (indicating  an  “internal”  action  such  as  assignment).  Yet  from 
an  abstract  point  of  view  the  reliance  on  channel  names  seems  awkward.  By 
analogy,  in  traditional  storage-based  models  of  sequential  imperative  pro¬ 
gramming  languages  locations  play  a  prominent  role;  yet  the  precise  nature 
of  locations  is  irrelevant,  and  details  concerning  storage  management  may 
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invalidate  certain  natural  laws  of  program  equivalence.  We  therefore  seek 
a  semantics  in  which  channel  names  are  handled  more  implicitly  than  in 
traditional  trace  semantics. 

The  location  problem  is  avoided  in  the  possible  worlds  setting,  because 
locations  are  only  dealt  with  implicitly:  in  essence,  a  location  corresponds  to 
a  component  in  the  structure  of  a  world.  For  instance,  the  world  Vint  x  Vhooi 
consists  of  states  with  two  “locations”,  one  capable  of  holding  an  integer 
and  one  of  holding  a  truth  value.  The  world  Vhooi  x  V^t  is  isomorphic  to 
the  above  world,  and  therefore  essentially  indistinguishable.  In  seeking  a 
name-free  account  of  channels  we  will  adopt  a  similar  approach. 

Each  channel  potentially  carries  a  sequence  of  data  values.  Over  the 
course  of  an  entire  computation  an  individual  channel  may  participate  in  an 
infinite  sequence  of  communications,  but  at  each  stage  only  finitely  many 
actions  have  occurred.  It  follows  that  we  can  regard  the  state  as  a  collection 
of  components  representing  (ordinary)  variables,  together  with  a  collection 
of  components  representing  channels,  each  holding  a  finite  sequence  of  data 
values.  For  instance,  the  world  V^t  x  Vhooi  x  represents  states  with 
one  integer  variable,  one  boolean  variable,  and  one  integer  channel.  In  a 
particular  state  the  sequence  of  values  in  the  channel  component  represents 
the  values  that  have  been  output  to  the  channel  and  not  yet  taken  off  by  an 
inputting  process.  By  embedding  channel  histories  into  states  in  this  way, 
we  pave  the  way  for  an  adaptation  of  the  transition  traces  approach  to  the 
setting  of  communicating  processes.  In  outline,  the  meaning  of  a  process  at 
world  W  is  a  set  of  finite  or  infinite  sequences  of  pairs  of  states: 

IcommlW  =  x  W)°°), 

exactly  as  in  our  earlier  semantics  of  shared-variable  programs.  Again  as 
in  the  earlier  model,  we  work  with  trace  sets  closed  under  stuttering  and 
mumbUng,  so  that  each  step  in  a  trace  represents  a  finite  sequence  of  atomic 
actions.  Now,  however,  since  channels  form  part  of  the  state,  we  can  account 
properly  for  message-passing  between  processes.  A  trace  of  the  form  indi¬ 
cated  above  now  represents  a  possible  computation  of  a  process  assuming 
certain  patterns  of  communication  with  its  environment  (modelled  as  “state 
changes  between  steps”).  Assuming  a  fair  scheduler,  the  behavior  of  a  sys¬ 
tem  of  processes  can  be  built  by  fairly  interleaving  traces  of  the  individual 
processes,  using  a  suitable  form  of  interleaving  that  permits  synchronization 
of  matching  input  and  output. 
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3.4  An  object-oriented  interpretation  of  channels 

A  key  ingredient  in  the  possible  worlds  semantics  of  sequential  Algol  is  an 
“object-oriented”  view  of  variables,  originally  proposed  by  Reynolds  [15]:  a 
variable  of  data  type  r  can  be  represented  as  a  pair  consisting  of  an  acceptor^ 
which  when  supplied  with  a  value  of  type  r  yields  a  command  value  whose 
effect  describes  how  to  “update”  the  vaxiable,  and  an  expression  value  giving 
the  “current”  value  of  the  variable.  A  key  innovation  in  our  new  set-up  is  the 
realization  that  channels  may  also  be  given  an  “object-oriented”  semantics. 

A  channel  (of  data  type  r)  has  two  capabilities:  one  can  output  a  value 
of  type  r  to  it,  which  will  have  the  effect  of  enqueueing  this  value;  and 
one  can  input  from  the  channel,  which  (when  the  channel  sequence  is  non¬ 
empty)  yields  a  value  of  the  appropriate  type  obtained  by  dequeueing.  Both 
the  dequeueing  and  enqueueing  operations  can  be  modelled  abstractly  as 
command  values,  since  —  with  this  incorporation  of  channels  into  the  state 
—  they  cause  a  state  change.  This  suggests  the  following  semantics  for 
channel  types^: 

|chan[r]JkF  =  (K  |comm|W^)  x  ([exp[T]]iy  x  |comm]lT) 

In  this  paper  we  give  a  treatment  of  channels  in  which  output  is  regarded 
as  asynchronous  (non-blocking)  but  an  attempt  to  input  from  an  empty  chan¬ 
nel  will  block.  Alternatives  are  discussed  briefly  at  the  end  of  the  paper. 

3.5  Examples 

Because  of  space  limitations,  we  omit  the  semantic  details  in  favor  of  some 
simple  examples  which  illustrate  the  main  ideas. 

Suppose  we  have  declared  an  integer  variable  x  and  an  integer  channel  h, 
corresponding  to  a  world  of  form  W  =  Vint  x  Vint  •  Let  u  be  an  environment 
consistent  with  this  set-up,  so  that  x  is  bound  to  a  variable  corresponding 
to  the  first  component  of  the  state,  and  h  is  bound  to  a  channel  value  whose 
input  and  output  capabilities  involve  the  second  component  of  the  state.  We 
will  write  n.p  and  p.n  to  indicate  concatenation  at  either  end  of  a  finite  list, 
and  we  write  e  for  the  empty  sequence. 

^An  alternative  formulation,  ostensibly  simpler  but  conveying  the  same  semantic  in¬ 
formation,  is  possible  if  we  allow  expressions  with  side-effects.  In  this  case  we  could  take 
[chan[r]]iy  =  (14  [commjiy)  x  |exp[r]|M7’. 
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The  command  Mx  at  world  W  and  in  environment  u  has  traces  of  the 
form 

{{v,n.p),{n,p)) 

for  n,n  e  VintiP  €  Knt-  command  h\{x  +  1)  has  traces  of  the  form 

((n,/)),(n,p.(n  +  l))), 

and  the  command  /i?x||/i!(a:  +  1)  has  traces  including  the  following  forms: 

•  ((uo,no./)o),(no,/3o))((ui,pi),(ui,Pi-(ni  +  1))),  representing  input  fol¬ 
lowed  by  output,  possibly  after  a  state  change  from  the  environment; 

•  ((uo,Po),  (uo,Po-(vo  +  l)))((ui, ni.pl),  (ni,pi)),  representing  output  fol¬ 
lowed  by  input,  again  possibly  after  action  by  the  environment; 

•  ((u,  e),  (u  -1- 1,  e)),  representing  a  synchronized  input-output,  which  be¬ 
haves  like  a  “distributed  assignment”.  This  trace  actually  arises  by 
mumbling  together  an  output  ((u,  e),  (u,  v  -1- 1))  and  an  input  ((u,  v  -f 
1),  (u  -f 

Traces  in  which  a  state  change  occurs  across  a  step  boundary,  such  as  the 
first  two  cases  above,  reflect  the  potential  for  interaction  with  another  process 
executing  concurrently. 

The  above  discussion  did  not  cover  the  case  when  a  process  wants  to 
perform  input  but  the  intended  channel  is  empty.  It  seems  reasonable  to 
model  this  situation  as  a  form  of  busy  waiting,  since  such  a  process  will 
keep  waiting  for  an  output  to  the  channel  by  another  process;  while  waiting, 
the  process  never  changes  the  state,  and  the  waiting  continues  provided  the 
channel  stays  empty.  In  trace-theoretic  terms  this  amounts  to  a  form  of 
infinite  stuttering.  Thus,  revisiting  the  above  example,  the  traces  of  h7x  also 
include  infinite  stuttering  traces  of  the  form 

((uo,  e),  (vo,  e))((ui,  e),  (ui,  e)) . . .  ((un,  e),  {vn,  e))... 

This  is,  of  course,  consistent  with  our  view  of  output  as  non-blocking,  input 
as  blocking  when  the  intended  channel  is  empty. 
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3.6  Semantic  issues 

The  discussion  above  indicates  how  to  model  input,  output,  and  parallel 
composition.  As  usual,  sequential  composition  is  modelled  by  concatenation 
of  traces.  Assignment,  conditional  and  while-loops  may  be  handled  in  the 
standard  way  too,  as  in  our  earlier  treatment  of  shared-variable  parallelism. 
Recursion  and  while-loops  are  interpreted  via  greatest  fixed  points[W]  in  order 
to  deal  appropriately  with  both  finite  and  infinite  traces. 

As  in  CSP  our  language  includes  a  form  of  “external”  choice;  however, 
because  of  our  assumption  that  output  is  non-blocking,  it  seems  most  natural 
to  permit  the  use  of  external  choice  only  when  the  guards  involve  input.  It 
is  then  straightforward  to  model  a  combination  such  as 

{alx  ->  Pi)n(fe?a:  P2), 

which  can  either  input  on  a  and  behave  like  Pi,  or  input  on  b  and  behave 
like  P2,  or  busy- wait  while  a  and  b  are  both  empty.  In  contrast  an  “internal” 
choice 

{alx  Pi)  n  {blx  ->•  P2) 

can  busy-wait  if  either  a  or  6  is  empty. 

Local  channel  declarations  can  be  handled  rather  simply  using  an  exten¬ 
sion  of  the  idea  used  in  our  shared-variable  model  to  deal  with  local  variables. 
The  traces  of  newchan[r]  h  in  P  at  world  W  and  environment  u  axe  obtained 
from  traces  of  P  in  world  W  xV*  and  suitably  adjusted  environment  u',  by 
projecting  onto  the  VF-components  in  each  step,  assuming  that  initially  the 
V^*-component  is  e  and  that  this  component  never  changes  across  step  bound¬ 
aries.  In  other  words,  only  the  locally  interference-free  traces  of  P  contribute 
in  this  construction,  where  we  say  that  a  trace  is  locally  interference-free  if 
it  has  the  form 

((tCo,  e),  (u>o,/)i))((u;i,/9i),  iw[,p2))  .  .  .  {{Wn,Pn),  «,/3n+l))  •  •  • 

(either  finite  or  infinite).  When  applied  to  the  example  discussed  above,  this 
shows  that 

newchan[r]  h  in  {h\e\\hlx) 

has  the  same  traces  (modulo  stuttering  and  mumbling)  as  the  assignment 
x:=e,  as  expected.  Moreover,  in  this  interpretation  we  also  have 

newchan[T]  h  in  (h!0;  P)  =  P 
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if  h  does  not  occur  free  in  P.  Note  also  that 


newchan[r]  h  in  (/i?x;P) 

has  only  infinite  stuttering  traces,  because  of  the  unrequited  request  for  input. 
Again,  notice  how  these  laws  reflect  our  assumptions  that  an  attempt  to  input 
from  an  empty  channel  is  blocked  but  output  is  asynchronous. 


3.7  Category-theoretic  issues 

In  Oles’  category  a  world  is  a  countable  set  W,  typically  a  product  of  the 
form  hi  X  •  •  •  X  Vfc,  whose  elements  (states)  specify  values  for  the  finitely 
many  variables  currently  in  scope.  A  morphism  from  world  W  to  world  X  is 
a  pair  (/,  Q)  in  which  f  :  X  W  is  &  function,  Q  is  an  equivalence  relation 
on  X,  and  /  puts  each  equivalence  class  in  bijection  with  W.  Intuitively,  X 
is  a  set  of  “large”  states  each  extending  a  “small”  state  in  W;  /  maps  each 
large  state  to  the  corresponding  small  state;  and  Q  identifies  all  pairs  of  large 
states  with  identical  “extra”  structure.  For  each  pair  of  objects  W  and  V 
there  is  a  canonical  “expansion”  morphism  from  IF  to  IF  x  V"  of  the  form 
(fst  :W  y.V  V-iQ),  where  (w,v)Q(w\v')  v  =  v'.  Every  set-theoretic 
isomorphism,  such  as  swap  :  W  xV  V  xW,  yields  an  isomorphism  of  worlds 
when  equipped  with  the  obvious  universal  equivalence  relation  (so  that  there 
is  a  single  equivalence  class).  Oles  showed  that  every  morphism  of  worlds  is 
expressible  as  the  composition  of  an  isomorphism  with  an  expansion. 

In  adapting  the  possible  worlds  approach  to  deal  with  channels  we  need 
to  generalize  the  nature  of  worlds  and  of  morphisms.  A  typical  world  in  the 
above  discussion  had  a  structure,  up  to  isomorphism,  like 

iV^x---xVk)x{H;x---xH:) 

where  each  Vi  and  Hj  is  the  set  of  values  for  some  data  type  r.  Expansion 
morphisms  still  account  for  local  variable  declarations  adequately,  and  it  is 
tempting  to  try  to  model  a  local  channel  declaration  by  means  of  an  expan¬ 
sion  introducing  an  extra  V*  component  to  the  state.  However,  we  need  to 
refine  the  notion  of  morphism  so  that  we  only  permit  isomorphisms  that  re¬ 
spect  the  queue  structure  of  channel  components.  To  show  why  this  degree 
of  care  is  needed,  consider  the  list-reversal  function  from  V*  to  V*.  Even 
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though  this  is  a  set-theoretic  isomorphism,  it  does  not  make  sense  computa¬ 
tionally  as  a  morphism  of  worlds:  it  is  not  sensible  to  expect  a  command’s 
meaning  to  be  essentially  unchanged  if  the  contents  of  all  channel  queues  are 
reversed.  (For  example,  consider  an  input  command  hlx.)  The  presence  of 
such  a  morphism  of  worlds  would  thus  prevent  us  from  interpreting  input 
and  output  commands  as  natural  transformations,  precluding  the  develop¬ 
ment  of  a  functor  category  semantics.  Instead  we  must  constrain  our  choice 
of  morphisms  so  that  the  only  allowed  isomorphisms  between  channels  are 
those  that  respect  the  prefix  ordering  on  channel  contents. 

To  generalize  the  Oles  category  in  a  satisfactory  manner,  building  in 
enough  extra  structure  to  permit  an  abstract  treatment  of  channels,  we  there¬ 
fore  work  with  worlds  equipped  with  a  partial  order  (based  on  the  use  of  the 
prefix  ordering  on  sequences).  Without  loss  of  generality  we  may  restrict 
attention  to  countable  distributive  posets  W  in  which  all  elements  are  finite 
and  dominate  only  finitely  many  other  elements.  Posets  formed  as  products 
of  flat  domains  and  prefix-ordered  sets  of  finite  sequences  have  these  prop¬ 
erties,  so  that  this  class  of  posets  is  general  enough  to  include  the  worlds 
arising  in  our  semantic  definitions.  We  take  as  morphisms  from  (W,  <vv")  to 
(X,  <;f)  all  pairs  {f,Q)  in  which  f  :  X  -i’  W  is  monotone  and  induces  an 
order-isomorphism  with  W  on  each  Q-class.  This  clearly  generalizes  the  Oles 
category  in  a  natural  way  and  does  not  permit  morphisms  that  violate  the 
queue  discipline.  Every  morphism  can  be  expressed  as  the  composition  of  an 
expansion  with  an  order-isomorphism. 

Following  the  line  of  development  in  [13]  we  then  show  that,  using  our  cat¬ 
egory  W  of  worlds  and  the  category  D  of  domains  and  continuous  functions, 
the  functor  category  is  cartesian  closed.  This  then  permits  us  to  use  the 
ccc  structure  to  interpret  the  A-calculus  fragment  of  our  language.  As  usual, 
each  phrase  type  denotes  a  functor  from  worlds  to  domains,  and  each  well- 
typed  phrase  denotes  a  natural  transformation  from  an  environment  functor 
to  a  result  functor.  Naturality  enforces  certain  locality  properties,  and  as  a 
consequence  the  model  validates  laws  of  equivalence  such  as 

newchan[ri]  hi  in  newchan[r2]  h^  in  P 

=  newchanfrj]  h2  in  newchanfri]  hi  in  P, 

expressing  the  property  that  the  order  of  declaration  of  channels  is  irrelevant, 
and 

newchan[T]  h  in  (P1IIP2)  =  (newchan[r]  h  in  Pi)||P2, 
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provided  h  does  not  occur  free  in  P^. 


4  Examples 

4.1  Buffers 

The  semantics  correctly  handles  the  examples  discussed  earlier.  Thus  the 
one-place  buffer  procedure  buffl{left,  right),  when  called  at  world  x 
in  a  suitable  environment,  has  the  trace 

{(0,  €),(£,£)) 

((l.£).(1.0)) 

{(1,0),  (£,0)) 

{(2,0), (2, 01)) 

representing  input  of  0,  output  of  0,  input  of  1,  and  so  on.  It  also  has  a  busy- 
wait  trace  ((e,  e),  (e,  e))‘^,  representing  its  behavior  when  the  input  channel 
is  persistently  empty.  The  unbounded  buffer  process  buff{left,  right)  also  has 
these  traces,  but  in  addition  has  traces  such  as 

((0,  e),(e,  e)) 

((2,0,  (2,0)) 

showing  the  ability  to  input  two  items  before  outputting  one.  Note  that 
the  unbounded  buffer  process  cannot  accept  input  forever  without  eventually 
yielding  an  output;  this  liveness  property  is  captured  by  the  use  of  fairmerge. 


4.2  Prime  numbers 

Another  traditional  example  is  the  Sieve  of  Eratosthenes,  involving  a  proce¬ 
dure  Steve  of  type  expint  x  chan[int]  comm  and  a  procedure  filter  of 
type  exp[int]  x  chan[int]  x  chan[int]  comm: 

procedure  filter{p,  in,  out)  = 

new[int]  x  in  while  true  do  (m?x;  if  x  mod  p^O  then  outlx)-, 
procedure  sieve{p,c)  = 

[dp]  newchan[int]  h  in  filter{p,  h,  c)  ||  sieve{p  -1- 1,  h))‘. 
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If  c  is  an  integer-carrying  channel  variable  the  call  sieve(2,c)  results  in  the 
outputting  of  the  prime  numbers  in  ascending  order  on  this  chaimel.  Note 
that  each  recursive  call  to  sieve  introduces  new  parallel  processes  sharing  a 
local  channel,  and  each  call  to  filter  makes  use  of  a  local  variable  to  hold  the 
integer  currently  being  tested  for  divisibility.  Actually  this  implementation 
of  the  sieve  method  is  rather  inefficient,  creating  a  “filter”  even  for  non-prime 
numbers.  Here  is  an  alternative  version  in  which  this  inefficiency  is  avoided: 

procedure  sift{in,  out)  = 
newchan[int]  h  in 
new[int]  p  in 
begin 

in?p;  outlp] 

filter{p,  in,  h)  ||  sift{h,  out) 
end 

procedure  nats{k,  c)  —  {elk;  nat${k  +  1,  c)); 
procedure  primes{c)  — 

newchan[int]  h  in  nats{2,  h)  [j  sift{h,  c) 

The  phrase  sieve{2,  c),  evaluated  in  world  with  c  bound  to  the  obvious 
channel,  has  the  trace 

(e,  2)(2,  2.3)(2.3,  2.3.5)... 

as  expected,  corresponding  to  the  ability  to  output  the  prime  numbers  in 
ascending  order.  The  alternative  version  primes {c)  also  has  this  trace. 

4.3  Concurrent  queues 

The  following  examples  illustrate  two  isomorphic  implementations  of  a  “con¬ 
current  object”  that  represents  an  integer  queue  equipped  with  methods  for 
enqueueing  and  dequeueing.  Each  implementation  involves  the  use  of  a  local 
channel.  The  second  implementation  uses  integer  negation  to  “code”  and 
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“decode”  all  transmitted  items. 


newchan[intj  h  in 
procedure  put{y)  =  h\y; 

procedure  get{z)  =  new[int]  x  in  [Wlx]  z:=a:); 
begin 
P{put,  get) 

end 


newchan[int]  h  in 

procedure  put{y)  =  h\{—y)\ 

procedure  get{z)  =  new[int]  x  in  [hlx-,  z:=(— a:)); 
begin 
P{put,  get) 

end 

These  two  phrases,  in  which  P  is  a  free  identifier  of  type 

(exp[int]  — )•  comm)  x  (var[int]  comm)  comm, 

are  semantically  equivalent.  This  can  be  established  by  appealing  to  nat- 
urality  of  [P|  with  respect  to  the  obvious  isomorphism  built  from  idu^  x 
map(An.(— n))  on  VF  x  1^*^. 

4.4  The  Sleeping  Barber 

Next  we  give  an  example  of  a  solution  to  one  of  the  classic  synchronization 
problems  from  the  literature,  the  so-called  Sleeping  Barber  Problem  [7,  1]. 
Imagine  a  barber’s  shop  in  which  a  solitary  barber  repeatedly  cuts  hair,  one 
customer  at  a  time,  and  sleeps  when  not  busy.  If  a  customer  enters  the 
premises  and  finds  the  barber  sleeping  he  wakes  the  barber  and  takes  his 
place  at  the  barber’s  chair  for  a  haircut,  after  which  the  barber  gets  paid 
and  the  customer  leaves;  if  another  customer  is  waiting  the  barber  continues 
operating,  otherwise  he  goes  back  to  sleep.  A  customer  arriving  while  the 
barber  is  busy  will  wait.  We  can  model  this  set-up  in  Idealized  CSP  as  follows. 
Since  the  local  channels  used  here  are  intended  purely  for  synchronization,  we 
use  a  slightly  abbreviated  form  of  syntax  for  input  and  output  (writing  enter? 
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and  hello!,  for  example).  The  procedure  visit  represents  the  protocol  followed 
by  a  customer;  the  argument  c  represents  what  the  customer  intends  to  do 
while  having  his  hair  cut.  Similarly  the  procedure  cut  models  the  protocol 
used  by  the  barber,  and  its  argument  represents  the  task  to  be  performed  by 
the  barber  during  haircut: 

newchan  enter,  leave,  hello,  bye 

procedure  visit{c)  =  {enterl]  hello\\  c;  leave?;  bye!); 
procedure  cut{c)  —  {enter!;  hello?;  c;  leave!;  bye?) 
in  P {visit,  cut) 

For  instance,  if  P  is  instantiated  as 

X{visit,  cut). 

(while  true  do  cut{b) 

II  while  true  do  visit{co) 

II  while  true  do  visit{ci)) 

then  the  above  phrase  becomes  semantically  equivalent  to 

while  true  do  {b  ||  (co  or  ci)), 

where  cq  or  Ci  is  a  command  that  chooses,  non-deterministically,  to  behave 
either  like  cq  or  like  Ci. 

Note  that  this  program  structure  does  not  prevent  individual  starvation  - 
there  are  fair  executions  of  this  program  in  which  ci  never  occurs,  so  that  the 
second  customer  never  gets  his  hair  cut.  To  avoid  starvation  one  can  modify 
this  example  to  make  use  of  “tickets”,  so  that  on  entering  the  barber  shop  a 
customer  must  take  a  numbered  ticket,  at  the  same  time  incrementing  a  local 
counter  to  prevent  multiple  uses  of  the  same  ticket  number.  We  then  modify 
the  customer  definition  to  include  a  wait  until  the  assigned  ticket  is  “next” . 
One  way  to  achieve  this  employs  a  “counter”  maintained  by  the  barber.  We 
leave  the  details  to  the  reader. 


4.5  A  sorting  network 

Here  is  a  well  known  way  to  construct  a  network  of  merge  processes  for 
sorting  a  sequence  of  integers  [1].  We  suppose  that  the  sequence  to  be  sorted 
is  presented  along  a  channel  in,  terminated  by  the  special  value  EOS.  When 
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n  >  0  and  in  and  out  are  distinct  integer  channels,  sort{n,  in,  out)  reads  in 
2”  integers  from  channel  in  and  outputs  the  corresponding  sorted  sequence 
on  out,  followed  by  the  EOS  signal.  First  we  specify  the  merge  procedure,  of 
type 

chan[int]  x  chan[int]  x  chan[int]  comm, 

as  follows: 

procedure  merge{a,b,c)  = 
newfint]  vi,  V2  in 
(a?ui;  b?V2; 

while  Vi  ^  EOS  kv2-=^  EOS  do 

if  Vi  <  V2  then  {clvi,  alvi)  else  (c!u2; 
while  vi  ^  EOS  do  (clui;  a?ui); 
while  V2  EOS  do  (c!t;2;  b'lv2)', 
dEOS) 

The  sorting  procedure,  of  type  exp[int]  x  chan[int]  x  chan[int]  ->  comm, 
is  then: 

procedure  sort{n,  in,  out)  = 

if  n  =  0  then  new[int]  v  in  (m?u;  outlv,  o«t!E0S)  else 
newchan[int]  ini,  in 

sort{n  —  1,  in,  ini)  I1  sort{n  —  1,  in,  m2)  1|  merge{ini,  m2,  out) 


Correctness  of  this  procedure  can  be  shown  by  induction  on  n. 


5  Related  and  Future  Work 

The  semantics  outlined  above  is,  when  restricted  to  the  CSP-like  subset  of 
the  programming  language,  close  in  spirit  to  the  “communication  traces” 
semantics  described  in  [5].  This  earlier  semantics  was  fully  abstract  with 
respect  to  a  simple  notion  of  program  behavior.  It  seems  likely  that,  at 
leeist  at  ground  types,  full  abstraction  can  be  achieved  for  Idealized  CSP  by 
imposing  certain  reasonable  closure  conditions  on  trace  sets,  akin  to  the  use 
of  “stuttering”  and  “mumbling”  [3],  and  ensuring  that  the  language  includes 
a  suitable  form  of  conditional  atomic  action. 


Our  semajitics  treats  channels  in  a  more  implicit  manner  than  earlier 
trace-based  approaches  such  as  [5].  Indeed,  these  earlier  semantics  assume 
that  a  network  of  processes  behaves  as  if  it  really  executes  in  a  step-by-step 
manner  according  to  some  interleaving  of  atomic  actions,  since  a  trace  typ¬ 
ically  represents  an  interleaving  of  the  histories  of  all  channels.  However, 
when  modelling  a  network  of  processes  it  seems  natural  to  want  to  reason 
about  the  histories  of  separate  channels  as  separate  entities,  rather  than  rea¬ 
soning  about  a  single  combined  history.  A  transition  trace  does  not  blend 
the  histories  on  separate  channels  into  a  single  sequence,  and  the  internal  se¬ 
quencing  of  a  trace  can  accurately  reflect  information  about  the  relative  order 
of  activity  on  different  channels  during  computation.  Thus  our  semantics  is 
closer  in  spirit  to  “true  concurrency”  than  traditional  trace  models. 

Our  treatment  of  deadlock  was  rather  straightforward,  but  might  be  crit¬ 
icized  on  the  grounds  that  we  equate  deadlock  with  busy-waiting.  Neverthe¬ 
less  such  a  busy-wait  interpretation  is  consistent  with  an  operational  notion 
of  behavior  in  which  we  are  allowed  to  observe  the  state  periodically  during 
execution,  as  well  as  to  observe  (successful)  termination.  A  process  waiting 
for  input  would  then  be  indistinguishable  from  one  executing  a  busy  loop.  It 
would  be  interesting  to  see  if  the  “fair  failures”  semantics[6,  10]  of  CSP  can 
also  be  adapted  to  the  procedural  setting. 

Our  framework  appears  to  be  robust  enough  to  handle  a  variety  of  paradigms 
of  communicating  process,  ranging  from  synchronized  communication  (as  in 
CSP)  to  asynchronous  communication  using  unbounded  buffers  (as  shown 
here);  with  suitable  adjustments,  it  should  even  be  possible  to  model  asyn¬ 
chronous  communication  with  bounded  buffers.  In  this  paper  we  have  allowed 
processes  to  share  state.  Our  framework  can  also  handle  the  case  where  pro¬ 
cesses  axe  required  to  have  disjoint  states,  as  in  the  original  CSP.  The  main 
difference  is  that  when  states  of  parallel  processes  can  be  assumed  disjoint  it 
makes  sense  to  combine  states  in  a  tensor-like  manner  when  forming  a  parallel 
composition,  rather  than  assuming  that  the  component  processes  share  the 
same  state.  It  is  also  worth  noting  that  our  rather  abstract  object-oriented 
view  of  channels  is  general  enough  to  model  a  wide  variety  of  communication 
mechanisms,  such  as  “lossy”  channels  which  may  lose  or  duplicate  data.  This 
suggests  again  that  the  ideas  presented  here  may  prove  to  be  more  widely 
applicable. 

The  trace  semantics  given  here  for  Idealized  CSP  may  also  be  recast  into 
a  parametric  setting,  taking  account  of  relations  between  worlds[12].  This 
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permits  an  elegant  generalization  of  the  principle  of  representation  indepen¬ 
dence,  familiar  from  the  use  of  abstract  datatypes  and  modules  in  sequential 
programming,  to  the  CSP-like  setting.  Recent  work  of  Lazic  and  Roscoe[ll] 
has  shown  that  relational  parametricity  can  be  used  to  tame  the  combinato¬ 
rial  explosion  inherent  in  applying  model-checking  techniques  to  networks  of 
communicating  processes.  Their  use  of  parametricity  seems  fundamentally 
different  from  our  use  of  possible  worlds  and  relations  between  worlds;  we 
plan  to  investigate  the  connections  between  their  approach  and  ours.  A  re¬ 
lated  issue  is  polymorphism;  it  is  obvious  that  some  of  our  examples,  such 
as  buffer  procedures,  may  be  given  a  sensible  polymorphic  type,  in  this  case 
VT.(ch£in[r]  x  chan[T]  — >•  comm).  We  plan  to  examine  the  consequences  of 
allowing  polymorphic  types,  at  least  permitting  quantification  over  datatypes 
as  shown  here.  The  use  of  this  form  of  type  indicates  a  “data  independence” 
property  of  the  phrase  in  question:  a  buffer  behaves  the  same  way  regardless 
of  the  type  of  its  contents. 

Our  examples  involving  concurrent  queues  illustrate  a  methodology  for 
using  local  variables  and  channels  together  with  procedures  that  operate  on 
them  to  achieve  an  “object-oriented”  style,  in  which  the  rest  of  the  program 
is  only  permitted  to  interact  with  the  local  data  by  calling  one  of  the  supplied 
procedures.  In  the  concurrent  setting,  this  technique  can  be  used  to  mimic 
the  use  of  “monitors”  [9,  2],  originally  proposed  as  a  concept  for  structuring 
the  design  of  operating  systems.  Thus  our  semantics  can  be  used  to  rea¬ 
son  about  the  correctness  of  classic  algorithms  from  the  operating  systems 
literature. 
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